[BUG] optional dependencies for OS/CPU package variants are being pruned unexpectedly

[i-like-robots]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

Starting from npm v10.3.0, optional dependencies for OS and CPU package variants are being pruned from package-lock.json when running npm install and a node_modules folder is present. This breaks npm installs when the resulting lockfile is pulled onto other platforms - such as devs working on their Macs (darwin/arm64) who are pushing their code to CI (linux/x64). This change in behaviour does not appear to be intentional as it is not documented or referenced anywhere. Possibly related to #7543. Possibly a dupe of #4828 and #7750.

The issue may be mitigated by deleting node_modules/ before running the install command.

Expected Behavior

Optional OS and CPU package variants should not be pruned from package-lock.json as was the behaviour prior to npm v10.3.0 to allow the lockfile to be used for cross-platform installs.

Steps To Reproduce

Unexpected behaviour ❌:

1. mkdir test && cd test
2. npm init -y
3. npm i -D rollup
4. Read package-lock.json - observe 18 OS/CPU@rollup/* package variants are listed
5. rm package-lock.json
6. npm i
7. Read package-lock.json - observe only 1 OS/CPU @rollup/* package variant is now listed for the current platform

Expected behaviour test 1 ✅:

1. mkdir test && cd test
2. npm init -y
3. npm i -D rollup
4. Read package-lock.json - observe 18 OS/CPU@rollup/* package variants are listed
5. rm -rf node_modules
6. npm i
7. Read package-lock.json - observe 18 OS/CPU@rollup/* package variants are listed

Expected behaviour test 2 ✅:

1. mkdir test && cd test
2. npm init -y
3. npm i -D rollup
4. Read package-lock.json - observe 18 OS/CPU@rollup/* package variants are listed
5. npm i -D esbuild
6. Read package-lock.json - observe 18 OS/CPU@rollup/* package variants are listed

Environment

• npm: 10.9.2
• Node.js: 22.17
• OS Name: macOS 14.5
• System Model Name: M1 Macbook Pro
• npm config:

; node bin location = /Users/xxx/.nvm/versions/node/v20.17.0/bin/node
; node version = v20.17.0
; npm local prefix = /Users/xxx/Projects/test
; npm version = 10.9.2
; cwd = /Users/xxx/Projects/test
; HOME = /Users/xxx
; Run `npm config ls -l` to show all defaults.

[kchindam-infy]

@i-like-robots by running the above commands u mentioned we are not getting any issue which above mentioned. by running the commands above mentioned by u we get 18 package variants before deleting the package-lock.json and after deleting package-lock.json we get the same 18 package variants.this is not an issue

[i-like-robots]

Thanks for your comment @kchindam-infy, unfortunately we have multiple users affected by this issue and I am able to recreate the issue myself on multiple machines, node and npm versions.

If it helps to diagnose the issue further, I have made a screen recording performing the steps reproducing the unexpected behaviour;

Screen.Recording.2024-12-08.at.21.35.16.min.mov

[kchindam-infy]

Hi @i-like-robots This is not reproducible in 10.9.2 latest npm . The video you share npm version shows 10.9.0. Update to latest version and try again

[i-like-robots]

I can confirm this is still an issue in v10.9.2 @kchindam-infy and this has also been confirmed by multiple users on M1-M4 equipped MacBooks.

[kchindam-infy]

@i-like-robots checked the issue with the updated versions npm 10.9.2 what u mention getting the expected behaviour for my self.